Re: [libvirt] [PATCH 2/2] Fix apparmor profile to make vfio pci passthrough work
Hello Serge,
On Mon, 2014-03-24 at 22:21 -0500, Serge Hallyn wrote:
Quoting Cédric Bosdonnat (cbosdonnat(a)suse.com):
> See lp#1276719 for the bug description. As virt-aa-helper doesn't know
Great, thanks for addressing this.
> the VFIO groups to use for the guest,
Is there really no way for it to know that (based on xml)? If not then
I guess this is the way to go - though even in that case could we at
least have virt-aa-helper only allow access to all vfio* only when vfio
pci is required?
Sadly the vfio group is handled on the qemu side, there is nothing on
the xml side. But I surely can change the patch to add the vfio rule to
the *.files part of the profile and only when vfio is needed by the
guest: that would restrain the access a bit.
--
Cedric